Cyber security hashing is the process of converting data into a fixed-length string, called a hash value or digest, using a mathematical algorithm. The same input should always create the same hash, but even a tiny change in the input should produce a very different result.
Hashing is widely used to verify data integrity, protect stored passwords, support digital signatures, and identify files or secrets without exposing the original data.
A hash function takes an input, such as a password, file, certificate, API key, or message, and produces a unique-looking output. For example, a document and a modified copy of that document should generate different hash values.
Good cryptographic hash functions are designed to be one-way. This means the original input should not be practically recoverable from the hash alone. They are also designed to resist collisions, where two different inputs produce the same hash.
Common cryptographic hash algorithms include SHA-256 and SHA-3. Older algorithms such as MD5 and SHA-1 are no longer recommended for security-sensitive use because practical weaknesses have been found.
Hashing helps security teams prove that data has not changed. If a downloaded software package has the expected hash, it is more likely to be the same file the publisher released. If the hash differs, the file may be corrupted, modified, or malicious.
In password security, systems should store salted password hashes instead of plain-text passwords. A salt is a unique random value added before hashing, making it harder for attackers to reuse precomputed password-cracking tables.
In cryptography and PKI, hashes are also used inside digital signatures. The system signs a hash of the data instead of signing the entire data directly, making the process efficient while still protecting integrity.
Hashing and encryption are often confused, but they solve different problems. Hashing is one-way and mainly supports verification, while encryption is reversible with the correct key and protects confidentiality.
| Hashing | Encryption |
|---|---|
| Creates a fixed-length digest from data. | Converts readable data into ciphertext. |
| Designed to be one-way. | Designed to be reversed with a valid key. |
| Used to verify integrity or compare values. | Used to protect confidentiality. |
| Best for passwords, file checks, and signatures. | Best for documents, messages, and stored secrets that must be recovered. |
For example, a password should usually be hashed, not encrypted, because the system only needs to verify it. A confidential document should be encrypted because authorized users need to recover the original content.
Businesses use hashing across identity, endpoint, application, and compliance workflows. Security tools may compare file hashes to detect known malware, verify software integrity, or track configuration changes.
In device management and secrets management contexts, hashing can help validate sensitive values without displaying them. Platforms such as Hexnode can support broader security operations by helping organizations enforce device controls, reduce risky configurations, and protect access to corporate resources.
A secure hashing approach depends on both the algorithm and implementation. Organizations should use modern algorithms, apply salts where needed, and choose purpose-built password hashing methods such as bcrypt, scrypt, or Argon2 for credential storage.
Hashing is powerful, but it is not a complete security control by itself. It works best when combined with strong access controls, key management, monitoring, patching, and secure endpoint policies.
Yes. Attackers can guess passwords, hash each guess, and compare the results. Strong passwords, unique salts, rate limiting, and password hashing algorithms make cracking much harder.
Hashing is part of how digital signatures work in certificate-based trust. It helps verify that signed certificate data or messages have not been altered.
Systems can store hashes of API keys when they only need to verify submitted keys. If the original key must be shown again, encryption or a secrets manager is more appropriate.